This is to announce the solution of the SSL challenge posted by Hal
Finney on July 17, 1995 (message-ID: <3u6kmg$>),
also found at:

The 40-bit secret part of the key is 7e f0 96 1f a6.  I found it by a brute
force search on a network of about 120 workstations and a few parallel
computers at INRIA, Ecole Polytechnique, and Ecole Normale Superieure.
The key was found after scanning a little more than half the key space
in 8 days. 

The cleartext of the encrypted data is as follows:

The SERVER-VERIFY message is:

9C B1 C7 83 D9 BB B7 75 01 6F 19 19 03 58 EC 05     MAC-DATA
05                                                  MSG-SERVER-VERIFY
AF 84 A7 79 F8 13 69 20 25 9B 53 A0 60 AE 75 51     CHALLENGE

The CHALLENGE part is a copy of the challenge sent by the client in its
first message.

The answer is the CLIENT-FINISHED message:

22 BB 23 39 55 B0 7F B6 1A B0 35 85 F7 DB C1 E5     MAC-DATA
03                                                  MSG-CLIENT-FINISHED
BF EB 90 F8 2C 0C E1 EA 18 AC 11 4C 83 14 21 B6     CONNECTION-ID

The next message is SERVER-FINISHED:

D4 CD F3 4E 38 F1 2B 1E DC FD 72 C8 34 02 CD FF     MAC-DATA
06                                                  SERVER-FINISHED-BYTE
23 1C 05 40 60 72 49 6E 83 BA D1 28 CC 9B 5F 63     SESSION-ID-DATA

Then comes the data message sent by the client.  This is the juicy one.
I have broken the contents into its fields (the body was just one long

72 23 B5 98 0D D0 07 1A DA F1 C7 A4 40 41 5A 10     MAC-DATA
POST /order2.cgi HTTP/1.0
User-Agent: Mozilla/1.1N (Macintosh; I; PPC)
Accept: */*
Accept: image/gif
Accept: image/x-xbitmap
Accept: image/jpeg
Content-type: application/x-www-form-urlencoded
Content-length: 472


This order came from Mr Cosmic Kumquat, SSL Trusters Inc.,
1234 Squeamish Ossifrage Road, Anywhere, NY 12345 (USA).

Unfortunately, Mr Kumquat forgot to give his phone number, and the
server's reply (in two packets) is:

09 12 AD FE A5 A9 BF D1 8C 8C E2 6A A3 48 B9 75    MAC-DATA
HTTP/1.0 200 OK
Server: Netscape-Commerce/1.1
Date: Wednesday, 12-Jul-95 05:40:30 GMT
Content-type: text/html

1C CD C4 3D 80 F1 7B 94 11 AC E8 72 B1 99 BC FA    MAC-DATA
The shipping address you supplied is not complete.  The street address,
city, state, zip code, country and phone number are mandatory fields.
Please go back and specify the full shipping address.  Thank you.

This result was found with a quick-and-dirty distributed search program,
which I wrote when I realized that the cypherpunks were going to be a few
weeks late with their collective effort.  When the program was running,
it took little more than one week to find the key (it would have taken about
15 days to sweep the entire key space).  I ran it on almost all the machines
I have access to, summarized in the following table:

type                  speed (keys/s)    number     notes
DEC (alpha)           18000-33000        34
DEC (MIPS)            2500-7500          11
SPARC                 2000-13000         57
HP (HPPA/snake)       15000              3
Sony (R3000)          1100-4000          3
Sun 3                 600                2
Sequent B8000         100 x 10           1         (1)
Multimax (NS532)      600 x 14           1         (1)
KSR                   3200 x 64          1         (1) (2)

1.  These are multiprocessor machines
2.  The KSR spent only about 2 days on this computation.

The total average searching speed was about 850000 keys/s,
with a maximum of 1350000 keys/s (1150000 without the KSR).


* Cypherpunks write code, all right, but they shouldn't forget to run it.

* Many people disagree with my conclusion about credit card numbers,
because they are not really secret, and there are many easier ways to
get the numbers.  They are right, of course.

I want to thank the people at INRIA, Ecole Polytechnique, and Ecole
Normale Superieure for giving their CPU time.  (Most of them are on
vacation anyway...)

You can find a copy of this text at